How to enforce an enterprise data leak prevention policy

The ways in which modern businesses exchange and communicate information have evolved very fast
in the last few years. We used to be limited to phone, fax, or hard copy, but now there's instant
messaging, Skype, blogs, Twitter, smartphones and, of course, email.

Stopping sensitive information from escaping from an organisation has always been a problem, but
the proliferation of these new mobile and other communication channels means it's easier than ever
for data loss to occur, either accidentally or maliciously.

As part of any data leak prevention plan, employees need to be informed of the risks of using
various communication channels and how to guard against the psychological triggers used in social
engineering-based attacks. This should be part of their information handling training. Every
employee should know how to identify confidential information and appreciate his or her own role in
keeping it secure.

Before you launch a round of security awareness training, though, check that your security
policies are indeed up-to-date, particularly sections covering the acceptable use of blogs, Skype
and smartphones; do you really want to allow phones with cameras in restricted or sensitive areas?
Maybe you need to disable USB and FireWire ports or set strict access times for certain data. You
certainly need to state the only methods by which sensitive information can be transmitted.

Also be aware of possible side effects when making changes to IT policies. For example, if you
limit the size of email attachments to reduce bandwidth usage, everyone's likely to look for
alternative ways of sending large files. These will typically be non-compliant and insecure
workarounds.

Neither should your security policies prevent employees from doing their jobs. If certain staff
regularly need to work weekends at home, give them a secure VPN connection to access files at work
so they're not tempted to email them to their home email address. Make it easy for them to follow
data leak prevention security best practices.

Data loss prevention technology
But policies and staff training alone will not solve the data leakage problem; you need
technology to help you manage and protect intellectual property throughout its lifecycle, and
figure out where it is and where it's going. This is where data loss prevention (DLP) technology
comes in. Unfortunately, there's a lot of confusion in the marketplace about what constitutes a
data loss prevention product. The term has been applied to everything from full suites to basic
encryption and USB port blocking technologies.

Before you start looking at what's on offer, you need to
classify your organisation's data to understand what data needs protecting and what the level of
risk is. (Read my previous article: How to create a data classification policy.) This will help you decide on the
appropriate level of data loss prevention you need.

Data classification undertakings have led some organisations to opt for content discovery tools
instead of network monitoring tools. Content discovery products scan stored data looking for
sensitive and classified information that is not protected or is located on inappropriate machines.
It's vital to know where your data is before trying to protect it!

Network data loss prevention devices such as Symantec Corp.'s Data Loss Prevention and McAfee
Inc.'s Network DLP Prevent monitor when and where data is moving. Using a profile of an
organisation's intellectual property, based on its data classification scheme, the tools analyse
each outgoing packet, preferably on all ports and protocols, responding in various ways depending
on the profile matched. Rules can be implemented to ensure certain classifications of information
are encrypted to prevent them from exiting the perimeter in an unauthorized state – great for
meeting compliance requirements.
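As an added illustration, and not code from the article or from any of the products it names, the following Python sketch models a DLP profile of the kind described above: detectors map content to a classification label, a policy table maps each label to an action, and the same classifier drives the content discovery scan over stored data mentioned earlier. The policy table, markings, host names and file contents are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed classification profile: label -> action the DLP rule takes when
# content with that label is seen leaving the perimeter (assumed, not a product's).
POLICY = {"restricted": "block", "confidential": "encrypt",
          "internal": "log", "public": "allow"}
LEVELS = ["restricted", "confidential", "internal", "public"]  # highest first

# Detectors: explicit handling markings, plus card-number-shaped digit runs.
MARKING_RE = re.compile(r"\b(RESTRICTED|CONFIDENTIAL|INTERNAL)\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0

def classify(content: str) -> str:
    """Return the highest classification the content's markings or data imply."""
    found = {m.group(1).lower() for m in MARKING_RE.finditer(content)}
    # Unmarked but Luhn-valid card numbers count as confidential in this profile.
    if any(luhn_ok(re.sub(r"[ -]", "", m.group(0))) for m in CARD_RE.finditer(content)):
        found.add("confidential")
    return next((lvl for lvl in LEVELS if lvl in found), "public")

@dataclass
class Decision:
    action: str
    label: str
    reason: str

def evaluate(channel: str, content: str) -> Decision:
    """Network DLP rule: decide what to do with one outgoing item."""
    label = classify(content)
    return Decision(POLICY[label], label, f"{channel}: matched profile '{label}'")

def discover(store: dict, approved_hosts: set) -> list:
    """Content discovery: classified data resting on hosts not approved to hold it."""
    hits = []
    for path, text in store.items():          # path is "host:/file" (constructed)
        label = classify(text)
        if LEVELS.index(label) <= LEVELS.index("confidential") \
                and path.split(":", 1)[0] not in approved_hosts:
            hits.append((path, label))
    return hits
```

The Luhn check is what keeps an invoice number or phone number from being reported as a card number; a real product layers many more such detectors and tunes them against the organisation's own classification scheme.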

Web security gateways could be a possible alternative to DLP devices here. Not only do they
protect your users from malicious sites and malware, they also monitor the types of files going
through the network perimeter and scan documents for phrases and terms that could potentially cause
data leakage. Coordination of content policy across all communication channels can be a lot more
efficient when they are all passing through one box. This also means that they can produce an
evidence chain of consolidated data to help challenge risky user behaviour.

Network monitoring can certainly catch many types of leaks, but it won't stop a determined thief
or an authorized user from copying files from a workstation to a USB drive. This is why disk
encryption and thumb drive controls are currently the most common data protection devices, as
there's always the possibility of a dishonest employee. Products such as McAfee's Host Data Loss
Prevention and Utimaco Inc.'s SafeGuard PortProtector monitor endpoints and devices and block or
log files that are written to or read from devices connected to the network.

For any employees in sensitive positions, HR should carry out
thorough background checks, and job descriptions should include nondisclosure and confidentiality
agreements. Also there should be a defined chain of command for escalation procedures should
someone become suspicious of a colleague's behaviour. One way to help people stay honest is to make
sure that everyone knows what security controls are in use; someone's far less likely to try to
copy 1,000 customer records if they know it will set alarm bells ringing. Access to sensitive data
should, of course, be controlled with strong authentication and minimum privileges.

This is something I want to discuss in my next article, as data leakage often occurs because of
poor business processes or system design. I'll also be looking at ensuring that database design and
data inference don't put a hole in your data loss prevention strategy.

About the author: Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb
Applications Ltd., a consultancy that offers IT training and support in data security and analysis.
He co-authored the book IIS Security and has written numerous technical articles for leading IT
publications.
